This dimension governs the obligation of AI agents operating in educational, research, and scientific discovery contexts to capture, preserve, and surface sufficient evidence — including inputs, parameters, environment specifications, intermediate states, and provenance chains — to allow independent parties to faithfully reproduce any computational or wet-lab workflow the agent participated in, initiated, or materially influenced. Reproducibility is not a peripheral quality concern in scientific practice; it is the foundational epistemological standard by which claims acquire validity, and AI-assisted workflows that cannot be independently reproduced undermine that standard structurally rather than incidentally. Failure in this dimension manifests as irreproducible published results, retracted papers, wasted downstream research investment, regulatory non-compliance in regulated research domains, and — in safety-critical or public-sector contexts — decisions affecting human welfare built on foundations that cannot be verified or challenged.
A genomics research group uses an enterprise workflow agent to orchestrate a multi-stage RNA-sequencing differential expression pipeline across 847 patient samples. The agent selects tool versions dynamically at runtime, pulling the latest available container digest for each step — alignment, quantification, normalisation, and statistical modelling. The published paper reports a 3.7-fold upregulation of a candidate therapeutic target gene. Eighteen months later, a replication team at a separate institution attempts to reproduce the finding using the methods section of the paper, which lists tool names but not version pins, not random seeds, not the specific reference genome build patch, and not the normalisation hyperparameters the agent selected mid-run. The replication team cannot recover the original computational environment because no environment manifest was captured. After six months of attempted reconstruction, the replication team publishes a non-replication finding. A subsequent investigation reveals the agent had silently upgraded a statistical library mid-batch — a library whose floating-point behaviour changed between minor versions — producing results that differ from the original at the fourth significant figure, enough to flip 12 of the 48 differentially expressed genes. The original paper is retracted. Grant funding of approximately €2.3 million tied to the therapeutic target is suspended pending re-analysis. The failure is entirely attributable to the absence of environment capture and parameter logging governance imposed on the agent.
A public-sector research institute deploys a Safety-Critical / CPS agent to assist laboratory technicians in executing and adapting CRISPR-Cas9 gene editing protocols for crop resilience trials subject to regulatory approval. The agent dynamically adjusts buffer concentrations, incubation temperatures, and guide RNA sequences in response to real-time sensor feedback. Over 14 experimental runs spanning four months, the agent makes 63 autonomous micro-adjustments. The institute's regulatory submission to the national biosafety authority includes the nominal protocol registered at trial commencement, not the as-executed protocol variants. An auditor requests the complete execution record. The agent's operator cannot produce it: the agent logged only final outcomes, not intermediate decisions, rationale, or parameter states at each adjustment point. The biosafety authority suspends the trial, requiring full re-execution under a monitored protocol with complete logging. Re-execution costs are estimated at £780,000 and delay regulatory approval by 22 months, affecting planting season windows for the crop variety under study. The suspension notice explicitly cites the absence of an as-executed protocol record as the precipitating non-compliance event.
A university AI laboratory uses a General/Internal Copilot to assist graduate students in training and evaluating natural language processing models for a shared benchmark leaderboard. The copilot assists with dataset splitting, hyperparameter search, and evaluation script generation. In three separate submissions spanning one academic year, the copilot reuses a validation split that partially overlaps with the test set due to a seeding inconsistency it introduced during an early session that was never logged. The leaderboard entries report accuracy figures 4.2 to 6.8 percentage points above what independent evaluation produces. Two of the three submissions are accepted at peer-reviewed venues. When a third party attempts to reproduce the results using the published code — which the copilot generated without capturing the original random seed state or the split-generation provocation — they cannot recover the contaminated split. The contamination is eventually discovered through an unrelated audit of the benchmark data assets. Both papers are corrected; one is retracted. The laboratory's subsequent grant applications are adversely reviewed due to the reputational event. The root cause is the copilot's failure to log and bind random seeds, dataset split provenance, and evaluation environment state to the output artefacts it produced.
This dimension applies to any AI agent — regardless of deployment profile — that participates in, automates, recommends, or materially influences any step of a scientific or educational workflow where the outputs are intended to be communicated, published, relied upon by downstream processes, or submitted to regulatory, funding, or accreditation bodies. Scope includes but is not limited to: computational data analysis pipelines; machine learning model training and evaluation workflows; wet-lab protocol execution or adaptation; literature synthesis workflows contributing to systematic reviews; simulation runs contributing to published findings; and automated hypothesis-testing or experimental design recommendation workflows. Scope extends to agent behaviours occurring within a single session and across multi-session, multi-agent, and federated execution contexts. This dimension does not govern the scientific validity of conclusions themselves (see AG-203), but governs the evidentiary infrastructure that makes independent verification of those conclusions possible.
The agent MUST assign a unique, persistent, and collision-resistant workflow identifier to every distinct experimental or analytical workflow it participates in, beginning at the point of first material action (data ingestion, parameter setting, environment configuration, or protocol step execution). The identifier MUST be propagated to all artefacts, logs, and sub-process invocations attributable to that workflow. Where a workflow spans multiple sessions, agents, or execution environments, the originating identifier MUST be preserved and carried forward rather than replaced by session-scoped or agent-scoped identifiers.
The agent MUST record complete provenance for all inputs consumed at each workflow step, including: data source identifiers and version or snapshot references; checksums or cryptographic digests of input files or streams at the moment of consumption; and, where inputs are derived from prior workflow steps, explicit references to those upstream steps by their workflow-scoped identifiers. For wet-lab contexts, provenance MUST include lot numbers, supplier identifiers, preparation timestamps, and storage condition records where the agent has access to or is responsible for generating those records. Provenance records MUST be written before the consuming step executes, not after, to prevent post-hoc reconstruction from corrupting the evidential record.
The agent MUST capture a complete, reproducible specification of the computational environment in which each workflow step executes. This specification MUST include: operating system identity and kernel version; interpreter or runtime version and build identifiers; all libraries, packages, and dependencies with exact version strings and, where available, content-addressable digests; hardware architecture and, where determinism is hardware-dependent, specific hardware identifiers; and any environment variables, configuration files, or external service endpoints that affect step behaviour. For containerised environments, the agent MUST record the container image digest, not merely the image tag, because tags are mutable. For wet-lab steps, environment specification MUST include instrument firmware versions, calibration records, and ambient condition logs where these are agent-accessible.
The agent MUST log the complete parameter and configuration state in effect at the commencement of each workflow step. This MUST include: all hyperparameters, thresholds, and algorithmic options, whether set explicitly by a user, inherited from defaults, or selected autonomously by the agent; random seeds and pseudorandom number generator state where any stochastic element is present in the step; and any dynamic parameters selected mid-execution, with timestamps and the triggering condition or rationale recorded. Where the agent autonomously modifies a parameter from a nominally specified value, the modification MUST be logged as a distinct event with the original value, the modified value, the modification timestamp, and the agent's stated basis for the change.
The agent MUST preserve sufficient intermediate state artefacts at defined checkpoints within a workflow to permit an independent party to resume the workflow from any checkpoint without re-executing prior steps, provided the workflow design permits such checkpointing. Checkpoints MUST be defined at a minimum at: the boundary between each major workflow stage; any point at which irreversible actions are taken; any point at which stochastic sampling occurs; and any point at which the agent makes an autonomous branching decision affecting downstream execution. Intermediate artefacts MUST be stored in formats and locations that are accessible independently of the agent's continued operation.
The agent MUST maintain an audit trail of every autonomous decision it makes that affects the scientific content, direction, or outcome of the workflow. Each audit trail entry MUST record: the decision type and description; the options considered and the values or signals used to evaluate them; the selected option and the rationale or rule applied; and the timestamp and workflow step identifier associated with the decision. Audit trail entries MUST be tamper-evident, either through cryptographic chaining, append-only storage with integrity verification, or equivalent mechanism. The audit trail MUST be readable by qualified humans without requiring access to the agent's internal state or proprietary interfaces.
Upon workflow completion, or upon request at any point during workflow execution, the agent MUST be capable of assembling a reproducibility package that consolidates: the workflow identifier; the complete input provenance record; the environment specification for each step; the parameter and configuration state log; the intermediate checkpoint artefacts or references thereto; the autonomous decision audit trail; and the output artefacts with their checksums. The reproducibility package MUST be serialised in a format that is both human-readable and machine-parseable, and MUST be self-describing such that its structure and semantics are interpretable without reference to agent-specific documentation.
The agent MUST ensure that all reproducibility evidence is retained for a minimum period consistent with the applicable disciplinary norm, funding body requirement, or regulatory mandate, and in no case less than seven years from the date of workflow completion for workflows producing published or submitted findings. The agent MUST NOT delete, overwrite, or permit the expiry of reproducibility evidence without explicit authorisation from the designated data steward role associated with the workflow. Where retention obligations conflict — for example, data minimisation requirements under privacy regulation versus scientific reproducibility requirements — the agent MUST surface the conflict to authorised human decision-makers and MUST NOT resolve the conflict autonomously.
The agent MUST make reproducibility package references discoverable and accessible to: the designated principal investigator or equivalent role; any co-investigators or collaborators granted access by the principal investigator; institutional research data management systems where integration is established; and, upon formal request, regulatory or funding bodies with audit authority over the workflow. The agent SHOULD provide a machine-readable citation or persistent identifier (such as a DOI or equivalent) linking the published output artefact to its reproducibility package. The agent MAY redact elements of the reproducibility package that contain personal data, commercially confidential information, or national security-classified information, provided that redaction is logged and the redacted package is still sufficient to reproduce the scientific workflow without access to the redacted elements.
Reproducibility failure in AI-assisted research is qualitatively different from reproducibility failure in purely manual research workflows. When a human researcher makes an undocumented methodological choice, there is at least the possibility of recollection, interview, or reconstruction from laboratory notes. When an AI agent makes an autonomous choice — selecting a normalisation algorithm, adjusting a buffer concentration, choosing a train-test split seed — that choice may leave no trace in any human-accessible memory. The agent operates at a speed and granularity that exceeds the capacity of manual contemporaneous documentation. Structural enforcement — requirements embedded in the agent's design and operation rather than in supplementary human procedures — is therefore the only reliable mechanism to ensure that the evidentiary record exists at all.
Behavioural guidance alone (policies stating that agents "should" log their actions) is demonstrably insufficient because it relies on agent operators to implement logging as an add-on after the fact, creates inconsistent coverage across workflow stages, and does not bind the agent at the point of action. The requirements in Section 4 are designed to be enforced at design time (through agent architecture requirements), at deployment time (through capability verification), and at runtime (through continuous monitoring and audit), creating a defence-in-depth model that does not depend on any single enforcement point.
Scientific knowledge accumulates through the mechanism of independent replication and falsification. A finding that cannot be reproduced cannot be falsified, and a finding that cannot be falsified is not, in the epistemological sense that underlies scientific practice, a scientific finding. AI agents that systematically produce irreproducible outputs do not merely create operational problems for the affected researchers; they erode the epistemological infrastructure of the scientific enterprise itself. At scale — as AI agents become embedded in the majority of computational research workflows — this erosion could produce a generation of literature that is internally consistent but externally unverifiable, a situation from which recovery would require not merely retraction of individual papers but reconstruction of entire bodies of knowledge.
The requirement in 4.6 (autonomous decision audit trail) deserves particular structural attention. Traditional reproducibility concerns focus on human choices — which algorithm, which parameter, which protocol variant. AI agents introduce a new category: choices made without human involvement, often below the threshold of human awareness, and often involving complex interactions between multiple autonomous decisions across multiple workflow stages. The audit trail requirement is not merely a logging convenience; it is the mechanism by which human scientific judgment can be retrospectively applied to decisions that were made without it, enabling post-hoc review, challenge, and correction of agent behaviour in a way that does not require re-running the entire workflow from scratch.
Research institutions and their AI vendors face strong efficiency pressures to minimise storage, computational overhead, and operational complexity. Reproducibility evidence capture imposes real costs: storage for environment manifests and intermediate artefacts, computational overhead for digest generation and audit trail writing, and operational complexity in managing retention and disclosure obligations. This protocol deliberately does not allow these pressures to override the reproducibility requirements, because the downstream cost of irreproducibility — measured in retracted papers, wasted research investment, regulatory non-compliance, and erosion of institutional credibility — consistently and substantially exceeds the cost of compliance. The costs of compliance are also more tractable and plannable than the costs of failure, which are typically discovered long after the point at which prevention would have been economical.
Workflow Envelope Pattern: Implement a workflow envelope abstraction at the agent architecture level that wraps every scientific workflow in a persistent identity and evidence-collection context. The envelope is opened at first agent action, accumulates provenance, environment, parameter, and decision records throughout execution, and is sealed at workflow completion with a manifest digest. The sealed envelope constitutes the reproducibility package. This pattern makes reproducibility evidence capture a structural property of workflow execution rather than a discretionary add-on.
Immutable Event Log Pattern: Write all reproducibility evidence events — input provenance, parameter states, autonomous decisions, intermediate checkpoints — to an append-only, cryptographically chained event log. Each event record includes the workflow identifier, a monotonically increasing sequence number, a timestamp, the event type and payload, and the hash of the preceding record. This structure makes the log tamper-evident without requiring a blockchain or distributed ledger, and allows integrity verification by any party with access to the log and the genesis hash.
Environment Snapshot-on-Execute Pattern: At the commencement of each workflow step, the agent captures a complete environment snapshot before executing any step logic. The snapshot is written to the reproducibility package before the step begins. This sequencing ensures that even if a step fails catastrophically, the environment state at the time of failure is preserved and can inform diagnosis and re-execution.
Seed Binding Pattern: For any workflow step involving stochastic elements, the agent generates, logs, and binds a random seed before any random operation occurs. The seed is generated from a secure source, logged with the workflow step identifier, and passed explicitly to all random number generators used in the step. The seed binding record is included in the reproducibility package. Re-execution of the step with the logged seed reproduces the identical stochastic sequence, subject to environment equivalence.
Reproducibility Package Materialisation on Milestone: Rather than deferring package assembly to workflow completion — which may never occur in long-running or interrupted workflows — the agent materialises a partial reproducibility package at each major milestone checkpoint. Each partial package is complete and self-contained for the workflow steps completed to that point. This ensures that reproducibility evidence is available even if the workflow is abandoned, the agent is restarted, or the execution environment is lost.
Conflict Surface Pattern (for 4.8 retention conflicts): When the agent detects a potential conflict between reproducibility retention obligations and other obligations (privacy, data minimisation, commercial confidentiality), it generates a structured conflict notification addressed to the designated data steward role, describing the conflict, the relevant obligations, the data elements affected, and the options available for resolution. The agent enters a hold state for the affected data elements until the data steward records an authorised resolution decision. The conflict notification and the resolution decision are both retained as part of the reproducibility package.
Tag-Based Container References: Recording container image tags (e.g., analysis-tool:latest or analysis-tool:v2) rather than content-addressable digests as environment provenance is a critical anti-pattern. Tags are mutable — the same tag can refer to different image content over time — making tag-based references useless for reproducibility. All container references in reproducibility evidence MUST use immutable digest identifiers.
Post-Hoc Log Construction: Allowing or designing agents to construct reproducibility logs after step execution by inferring what inputs, parameters, and decisions must have been used from the outputs is a fundamental integrity violation. Post-hoc reconstruction is indistinguishable from fabrication in the absence of contemporaneous evidence, and produces a log that reflects what the agent believes happened rather than what actually happened. All evidence MUST be written before or during the relevant step, not after.
Aggregate Parameter Logging: Logging parameter sets as undifferentiated JSON blobs without structured field identification, default-value annotation, and autonomous-modification flagging makes the parameter log difficult to interpret and impossible to validate against the agent's decision rules. Structured, field-level parameter logging with explicit annotation of non-default and agent-modified values is required.
Session-Scoped Rather Than Workflow-Scoped Identifiers: Using session identifiers as the primary workflow identity mechanism fails to preserve continuity across multi-session workflows, agent restarts, or handoffs between agents. Workflow identifiers must be semantically decoupled from session identifiers and must persist across all such boundaries.
Implicit Retention by Default Expiry: Relying on storage system default expiry policies to manage reproducibility evidence retention is an anti-pattern because default expiry policies are typically not calibrated to research data retention norms and may delete evidence before retention obligations are satisfied. Retention must be explicit, policy-driven, and verified.
Redaction Without Residual Sufficiency Verification: Applying data minimisation or confidentiality redactions to reproducibility packages without verifying that the redacted package still supports reproduction of the scientific workflow produces packages that satisfy privacy requirements but defeat reproducibility. Redaction must be followed by a sufficiency assessment that confirms the residual package supports independent reproduction.
Life Sciences and Regulated Research: Workflows subject to Good Laboratory Practice (GLP), Good Clinical Practice (GCP), or equivalent regulatory frameworks impose additional provenance and audit requirements beyond the baseline in Section 4. Agents operating in these contexts must integrate with the institution's quality management system and ensure that reproducibility evidence meets the specific format, signature, and retention requirements of the applicable regulatory framework. The seven-year minimum retention period in 4.8 may be insufficient; GLP-regulated studies may require retention for the lifetime of the regulatory submission plus a defined period.
Machine Learning Research: The machine learning research community has specific reproducibility challenges including dataset contamination, benchmark overfitting, and stochastic training variability. Agents assisting with ML research must pay particular attention to the seed binding pattern (6.1), dataset split provenance (4.2), and evaluation environment capture (4.3). The ML community's emerging reproducibility standards — including requirements for model cards, dataset cards, and evaluation protocols — should inform the structure of reproducibility packages produced in this context.
Multi-Site Collaborative Research: Where workflows are distributed across multiple institutions or jurisdictions, reproducibility evidence may be distributed across multiple custodians with different retention policies, access controls, and storage systems. Agents operating in federated contexts must produce reproducibility packages that are self-contained or include sufficient cross-references to enable an independent party to locate all evidence components without requiring cooperation from any single custodian.
| Maturity Level | Characterisation |
|---|---|
| Level 1 — Initial | Ad-hoc logging; no workflow identity; parameter states partially captured; no autonomous decision trail; reproducibility dependent on researcher memory and notes. |
| Level 2 — Managed | Workflow identifiers assigned; input provenance captured; environment specifications recorded for major steps; parameter logging present but inconsistent; no autonomous decision trail; retention informal. |
| Level 3 — Defined | Complete input provenance; environment capture at every step; full parameter logging including agent-modified values; autonomous decision trail for major decisions; reproducibility package assembled at completion; retention policy defined. |
| Level 4 — Quantitatively Managed | All Level 3 capabilities plus: intermediate checkpoint artefacts preserved; seed binding enforced; tamper-evident audit log; conflict surface pattern implemented; reproducibility packages tested by independent re-execution. |
| Level 5 — Optimising | All Level 4 capabilities plus: continuous automated reproducibility verification; machine-readable persistent identifiers linking outputs to packages; integration with institutional and domain repository systems; reproducibility metrics reported in research outputs. |
| Artefact | Description | Format | Minimum Retention |
|---|---|---|---|
| Workflow Identity Record | Unique persistent workflow identifier, creation timestamp, initiating agent identifier, and scope declaration | Structured (JSON-LD or equivalent) | Lifetime of associated research output plus 10 years |
| Input Provenance Manifest | Per-step record of all input sources, version references, and content digests | Structured, append-only | 7 years minimum; match applicable regulatory requirement if longer |
| Environment Specification Snapshots | Per-step environment manifest including OS, runtime, library versions with digests, and hardware identifiers | Structured (e.g., SPDX, CycloneDX, or equivalent) | 7 years minimum |
| Parameter and Configuration State Log | Timestamped, field-level parameter state log with default and modification annotations | Structured, append-only | 7 years minimum |
| Autonomous Decision Audit Trail | Tamper-evident log of all autonomous agent decisions affecting workflow content or direction | Structured, cryptographically chained | 7 years minimum; match applicable regulatory requirement if longer |
| Intermediate Checkpoint Artefacts | Workflow-stage-boundary state artefacts sufficient to permit resumption from checkpoint | Domain-appropriate format with checksums | Duration of active workflow plus 3 years, or 7 years if workflow produces published output |
| Reproducibility Package Manifest | Consolidated index of all reproducibility evidence components with checksums and locations | Structured, self-describing | Lifetime of associated research output plus 10 years |
| Retention Conflict Notifications and Resolutions | Records of any identified conflicts between reproducibility retention and other obligations, with authorised resolution decisions | Structured, human-readable | 7 years |
| Independent Re-execution Verification Records | Records of any independent re-execution tests performed against the reproducibility package, including outcome and discrepancy reports | Structured | 7 years |
All reproducibility evidence artefacts must be held under a documented custodianship arrangement that identifies the responsible data steward, the storage system and location, the access control policy, and the disposition policy at end of retention period. Custodianship records must themselves be retained for a period not less than two years beyond the end of the evidence retention period. Transfer of custodianship — for example, on researcher departure or institutional merger — must be documented as a custody chain event appended to the workflow identity record. Destruction of evidence at end of retention must be authorised by the designated data steward and recorded in the custody chain.
Reproducibility evidence artefacts must be subject to periodic integrity verification against their recorded checksums. Verification must occur at a minimum annually and within 30 days of any storage system migration or infrastructure change. Integrity verification results must be recorded and any detected corruption or loss must be reported to the designated data steward within 48 hours of detection.
Maps to: Section 4.1 Objective: Verify that a unique workflow identifier is assigned at first agent action and persists across all artefacts and sub-processes. Procedure: Initiate a multi-session workflow spanning at least two agent sessions and two sub-process invocations. At workflow completion, collect all artefacts, logs, and sub-process outputs. Verify that: (a) a single workflow identifier is present in all collected artefacts; (b) the identifier is unchanged across session boundaries; (c) the identifier is present in sub-process outputs; (d) the identifier is not duplicated in any concurrent workflow initiated during the test period. Pass Criteria:
Maps to: Section 4.2 Objective: Verify that input provenance records are complete, accurate, and written before the consuming step executes. Procedure: Execute a controlled workflow with three distinct input data sources, each with a known checksum. Introduce a delay instrumentation point between provenance log write and step execution. Verify that: (a) a provenance record exists for each input source; (b) the recorded checksum matches the known checksum for each input; (c) the provenance record timestamp precedes the step execution timestamp for each step; (d) upstream step references are present for derived inputs. Pass Criteria:
Maps to: Section 4.3 Objective: Verify that environment specification captures include all required components at digest level, including container image digests rather than tags. Procedure: Execute a two-step containerised workflow. After completion, modify the container image referenced by tag (while preserving the original image under its digest). Attempt to reproduce the workflow using only the recorded environment specification. Verify that: (a) the environment specification contains image digests for all containers; (b) the specification includes OS, runtime, and library versions for all steps; (c) the specification includes environment variables and configuration file states; (d) re-execution using the specification produces identical outputs within floating-point determinism bounds. Pass Criteria:
Maps to: Section 4.6 Objective: Verify that the autonomous decision audit trail is tamper-evident, human-readable, and captures all agent decisions affecting workflow content. Procedure: Execute a workflow in which the agent is provoked to make at least five distinct autonomous decisions (e.g., parameter selection, branching, protocol adjustment). After log generation: (a) verify the audit trail contains an entry for each autonomous decision; (b) attempt to modify one log entry and verify that the modification is detectable via the integrity mechanism; (c) present the audit trail to a qualified domain expert without agent access and verify that all five decisions are interpretable from the log alone. Pass Criteria:
Maps to: Section 4.7 Objective: Verify that the assembled reproducibility package enables an independent party to reproduce the workflow without access to the original agent or execution environment. Procedure: Execute a complete workflow. Request reproducibility package assembly. Provide the package to an independent team with no prior knowledge of the workflow. The independent team must: (a) reconstruct the execution environment from the package alone; (b) re-execute the workflow from inputs using the package's parameter and configuration records; (c) verify that outputs match the original outputs within the documented tolerance. The independent team must not communicate with the original team during the exercise. Pass Criteria:
Maps to: Section 4.8 Objective: Verify that retention policy is enforced and that conflicts between retention obligations are surfaced to human decision-makers rather than resolved autonomously. Procedure: (a) Configure a test workflow with a seven-year retention policy. Simulate an automated deletion request for reproducibility evidence before the retention period expires and verify that the agent blocks deletion and notifies the designated data steward. (b) Introduce a simulated conflict between reproducibility retention and a data minimisation obligation. Verify that the agent generates a structured conflict notification, enters a hold state for the affected data, and does not autonomously resolve the conflict. Pass Criteria:
Maps to: Section 4.9 Objective: Verify that reproducibility packages are discoverable and accessible to authorised roles and that redaction preserves workflow reproducibility. Procedure: (a) Verify that the principal investigator role can locate and access the reproducibility package without agent assistance. (b)
| Regulation | Provision | Relationship Type |
|---|---|---|
| EU AI Act | Article 9 (Risk Management System) | Direct requirement |
| NIST AI RMF | GOVERN 1.1, MAP 3.2, MANAGE 2.2 | Supports compliance |
| ISO 42001 | Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment) | Supports compliance |
| FERPA | 34 CFR Part 99 (Student Education Records) | Supports compliance |
Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system that identifies, analyses, estimates, and evaluates risks. Experiment Reproducibility Evidence Governance implements a specific risk mitigation measure within this framework. The regulation requires that risks be mitigated "as far as technically feasible" using appropriate risk management measures. For deployments classified as high-risk under Annex III, compliance with AG-584 supports the Article 9 obligation by providing structural governance controls rather than relying solely on the agent's own reasoning or behavioural compliance.
GOVERN 1.1 addresses legal and regulatory requirements; MAP 3.2 addresses risk context mapping; MANAGE 2.2 addresses risk mitigation through enforceable controls. AG-584 supports compliance by establishing structural governance boundaries that implement the framework's approach to AI risk management.
Clause 6.1 requires organisations to determine actions to address risks and opportunities within the AI management system. Clause 8.2 requires AI risk assessment. Experiment Reproducibility Evidence Governance implements a risk treatment control within the AI management system, directly satisfying the requirement for structured risk mitigation.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Organisation-wide — potentially cross-organisation where agents interact with external counterparties or shared infrastructure |
| Escalation Path | Immediate executive notification and regulatory disclosure assessment |
Consequence chain: Without experiment reproducibility evidence governance, the governance framework has a structural gap that can be exploited at machine speed. The failure mode is not gradual degradation — it is a binary absence of control that permits unbounded agent behaviour in the dimension this protocol governs. The immediate consequence is uncontrolled agent action within the scope of AG-584, potentially cascading to dependent dimensions and downstream systems. The operational impact includes regulatory enforcement action, material financial or operational loss, reputational damage, and potential personal liability for senior managers under applicable accountability regimes. Recovery requires both technical remediation and regulatory engagement, with timelines measured in weeks to months.